Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlmNDYtNXIyNS01d2Zt
Time-of-check Time-of-use (TOCTOU) Race Condition in league/flysystem
Impact
The whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely.
The conditions:
- A user is allowed to supply the path or filename of an uploaded file.
- The supplied path or filename is not checked against unicode chars.
- The supplied pathname checked against an extension deny-list, not an allow-list.
- The supplied path or filename contains a unicode whitespace char in the extension.
- The uploaded file is stored in a directory that allows PHP code to be executed.
Given these conditions are met a user can upload and execute arbitrary code on the system under attack.
Patches
The unicode whitespace removal has been replaced with a rejection (exception).
The library has been patched in:
- 1.x: https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32
- 2.x: https://github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74
Workarounds
For 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.
Permalink: https://github.com/advisories/GHSA-9f46-5r25-5wfmJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlmNDYtNXIyNS01d2Zt
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: 10 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-9f46-5r25-5wfm, CVE-2021-32708
References:
- https://github.com/thephpleague/flysystem/security/advisories/GHSA-9f46-5r25-5wfm
- https://nvd.nist.gov/vuln/detail/CVE-2021-32708
- https://github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74
- https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32
- https://packagist.org/packages/league/flysystem
- https://lists.fedoraproject.org/archives/list/[email protected]/message/NWPTENBYKI2IG47GI4DHAACLNRLTWUR5/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/RNZSWK4GOMJOOHKLZEOE5AQSLC4DNCRZ/
- https://github.com/FriendsOfPHP/security-advisories/blob/master/league/flysystem/CVE-2021-32708.yaml
- https://github.com/advisories/GHSA-9f46-5r25-5wfm
Blast Radius: 55.4
Affected Packages
packagist:league/flysystem
Dependent packages: 2,053Dependent repositories: 444,950
Downloads: 472,113,303 total
Affected Version Ranges: >= 2.0.0, < 2.1.1, < 1.1.4
Fixed in: 2.1.1, 1.1.4
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.1.17, 0.1.18, 0.1.19, 0.1.20, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.2.13, 0.2.14, 0.2.15, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.5.8, 0.5.9, 0.5.10, 0.5.11, 0.5.12, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 1.0.17, 1.0.18, 1.0.19, 1.0.20, 1.0.21, 1.0.22, 1.0.23, 1.0.24, 1.0.25, 1.0.26, 1.0.27, 1.0.28, 1.0.29, 1.0.30, 1.0.31, 1.0.32, 1.0.33, 1.0.34, 1.0.35, 1.0.36, 1.0.37, 1.0.38, 1.0.39, 1.0.40, 1.0.41, 1.0.42, 1.0.43, 1.0.44, 1.0.45, 1.0.46, 1.0.47, 1.0.48, 1.0.49, 1.0.50, 1.0.51, 1.0.52, 1.0.53, 1.0.54, 1.0.55, 1.0.56, 1.0.57, 1.0.58, 1.0.59, 1.0.60, 1.0.61, 1.0.62, 1.0.63, 1.0.64, 1.0.65, 1.0.66, 1.0.67, 1.0.68, 1.0.69, 1.0.70, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.1.0
All unaffected versions: 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.5.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.0.17, 3.0.18, 3.0.19, 3.0.20, 3.0.21, 3.0.22, 3.0.23, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.3.0, 3.4.0, 3.5.0, 3.5.1, 3.5.2, 3.6.0, 3.7.0, 3.8.0, 3.9.0, 3.10.0, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.11.0, 3.12.0, 3.12.1, 3.12.2, 3.12.3, 3.13.0, 3.14.0, 3.15.0, 3.15.1, 3.16.0, 3.17.0, 3.18.0, 3.19.0, 3.20.0, 3.21.0, 3.22.0, 3.23.0, 3.23.1, 3.24.0, 3.25.0, 3.25.1, 3.26.0, 3.27.0, 3.28.0, 3.29.0, 3.29.1